OpenCTI-Platform/opencti 6.4.0

Version 6.4.0

on GitHub

Dear community, we're excited to announce the launch of OpenCTI 6.4! 🥳

This release has been mainly focused on solving the following pain points & unlocking the below use cases:

• Protect platforms from unwanted configurations changes, by implementing a danger zone
• Improve Mean Time To Response by facilitating actions on cases
• Facilitate Graph manipulation, by enabling a set of new actions
• Facilitate ingestion process, by making CVS mapper more flexible & improve errors on connectors
• Vulnerability management, by developing additional integrations

If our platform is flexible, sometimes this flexibility can be harmful when it some new users to the platforms perform some actions which can have a negative on their experience, such as remove the Enterprise Edition, changing the platform organisation, updating some built-in roles & groups.

This is the reason why we introduced the concept of Danger Zone 🚸.

**From the moment you will upgrade, certain area of the platform will be protected. This means you will not be able to edit them without having a new specific role capability. For more information regarding this feature, please go to the dedicated documentation

Quick and efficient incident response is essential for many organizations, yet managing participant assignments and case updates can often be time-consuming, slowing down response times.

To streamline incident management, we’ve introduced direct in-UI options for assigning participants and assignees, removing the need to open the modification panel. Additionally, we now support bulk operations for updating fields like creator, assignee, priority, severity, and type🖊️ directly from the list view.

These enhancements enable faster, more flexible incident management, giving teams the ability to quickly assign resources and update cases at scale.

To complement on this topic, one great feature added this release is also the ability to enroll a specific entity within the playbook 🤖: starting from 6.4, you can create a playbook with the first step being “Available for manual enrollment / trigger”. By creating this step without any filter & the rest of your workflow, you can now, when navigating to a container, “enroll this entity in a playbook” to have an automation running on this specific entity. This will unlock lots of use cases, for instance to apply specific measures to a particular entity that you need to follow.

Users frequently need to work with knowledge graphs to manipulate information within containers. However, adding entities to an established knowledge graph has been a challenge, as forces were automatically reapplied, disrupting the graph's layout and usability. So as creating a large number of relationships with a single entity led to problems of timeout.

In this release, we’ve refined the knowledge graph experience to support smoother interactions. Now, if you disable forces on your graph, it will maintain its layout when new entities are added 📈, preserving your custom configurations.

Additionally, with valuable input from the community, we’ve enhanced relationship management within reports. Users can now select all relationships linked to a node or choose to isolate either parent or child relationships 💡—simplifying bulk actions, such as removing relationships from a container.

Investigation graphs have also been reworked to improved the representation of file objects (observable).

Knowledge ingestion through CSV files offers flexibility, but handling custom formats can be challenging. Users need efficient ways to create mappers and manage conditional data.

To enhance CSV ingestion, we’ve introduced two key improvements to CSV mappers.

Firstly, we’ve added a duplication feature for CSV mappers (and feeds) 📁across both ingestion and data sharing, simplifying the mapper creation process.

Secondly, the new Conditional Mapping 🧪functionality allows users to map columns based on specific conditions—particularly useful when a single column contains multiple entity types. For instance, users can configure the mapper to recognize whether a row is an IP address or URL based on values in a separate column, streamlining entity classification.

Ingestion have also been improved with the ability to map a confidence level information on our score notion (x_opencti_score) when ingesting Indicators/Observables from a TAXII Feed.

Few releases back we have started our work towards unlocking some vulnerability management capabilities within the app.

This is why we have now introduced the Tenable Vulnerability Management connector. Thanks to this connector, you can now monitor your assets using our system entity within OpenCTI & get some corresponding vulnerabilities.

Additionally, systems now have a knowledge view 🪟 to see their related vulnerabilities & a new relationship type “system has vulnerability” 🔗 has been introduced too. Thanks to the work already done to add EPSS, KEV & connectors already built, in addition to these fields being supported in the playbooks, vulnerability management within OpenCTI becomes doable to a certain extent within the platform 🔥

Connectors are essential for data ingestion, yet diagnosing errors within connectors can be challenging and time-consuming. Clear error insights are crucial for efficient troubleshooting and to maintain data flow continuity.

To simplify error resolution, we’ve enhanced the error logging for connectors 💬. Now, within the error tab, users can view errors categorized under Critical, Warning, and All, allowing for immediate prioritization. Each error entry includes an improved, human-readable explanation along with a unique error code. This code links directly to documentation that provides specific troubleshooting steps, helping users quickly identify and address issues.

When it comes to troubleshooting, you also need to understand which are the users who have taken a given action, in order to be able to trace back & understand what did happen. Our logging have been improve thanks to the introduction of a filter on the “system” user. 👥

Outside of these use cases, we have tackled some additional various issues.

• We have ensured that in a container (or in the observable view), if you filter on one single observable type (in a report, using the right handside component), you can select-all and enrich all at once 🌎. This is will save you some time!
• When using AI within a report, the generation will offer the user to select the language of generation. By default, we will use user’s language to generate the report through AI ✨, so that it won’t change anything to your current flow.
• Within entities that contains a knowledge view about Attack Patterns, we have now introduce a flat list view of attack patterns 💡, in order to manipulate the attack pattern as entities & use the mass operations.
• We have also introduced the ability, when defining an email notification in the notifier, to add a suffix to the email notification URL 📨, so that you can redirect to the precise entity when receiving a notification.
• We’ve expanded dashboarding capabilities with a new widget —Cloud of Words📊—to give you more flexibility in dashboard creation.
• Opinions across all entities are now clickable 🕵️, allowing you to see who shared feedback and their specific comments. Additionally, a new opinion filter let you configure widgets 📊to display the distribution of entities based on the average of their associated opinions.
• New capability “Can use web interface export functions (PDF, PNG, etc.)” 🔒: it aims to control who can download images from a dashboard or a knowledge view & List groups & roles in alphabetical order 💡.
• You can now Disable the trash 📴 if you do not need it.
• Overall, we have also worked on security fixes & performance issues (for ingestion & deletion). Among security improvement, we have also added the ability to revoke & recreate a new token 🔒 for a user which would have seen its token leaked. Tokens & password are now hidden by default in UI🕵️.

In addition to Tenable connectors addition, two new enrichment connectors have also been added:

• RiskIQ Passive Total enrichment
• GreyNoise Vulnerability enrichment

We have also made a number of improvements to the Microsoft Sentinel, Tanium and Harfanglab connectors. The export of indicators and the import of incidents are now separated into two different connectors (stream & external-import).

On a finish note, we would like to thank you for your contributions 🙏 to our product, that helps making our product better: guillaumededrie, stefan1anuby, Bonsai8863, animedbz16, daimoyo007, cert-orangecyberdefense, polakovicp, DNRRomero, stefanbulof, annoyingapt, uTomasAnderson, bradchiapetta, brett-fitz, akhanafeer, mmolenda, initstring, Darkheir, WolfBytnner, Mathieu4141, DinkoReversingLabs, basvanschaik, curiouspython1.

Of course, a huge thank you to all for your contributions 🥇

We hope this release will please you! Feel free to drop us a note about anything. We’re always happy to get feedback about our product usage, whether it’s to hear that everything works perfectly or to get some improvement ideas to.

Enhancements:

• #9054 Implement decryptionPvk in SAML 2
• #8897 Add a static parameter to fully disable the trash on the whole platform
• #8842 Show opinion comments in the report overview
• #8680 Add an option in TAXII feed ingestion to map confidence on x_opencti_score on Indicators and Observables
• #8614 Connectors/Ingestors and GUI error logs messages improvements
• #8558 Re-order entries in ingestion queue to have Connectors first
• #8485 Be able to click on opinion radar to open a dialog with the list of opinions and their details
• #8484 Being able to define a suffix for email notification URLs in the config of the notifier
• #8468 Unable to filter on system users in the activity logs
• #8467 Add a new capability to control frontend export (PDF / IMG) for knowledge graphs and dashboards
• #8378 Remove group of relation from container by selecting them from a graph
• #8284 Protect sensitive features and configurations from modifications
• #7862 Add words cloud widget and opinion (mean) widgets in dashboards
• #7844 Be able to manipulate creators in background tasks for admins
• #7657 Add marking definition name in the activity in addition to the ID
• #7504 Filter on report Type in playbook
• #7400 CSV mapper Improvement Phase 1
• #7299 When using AI, to generate text, be able to select the language and pre-fill with the user profile lang
• #7298 In knowledge graph, do not re-apply forces when adding a new entity (working already when adding a new relations)
• #7277 In dashboards, be able to configure a widget to draw distribution of entities using the average of their associated opinions
• #7158 Limit stix_ids explosion by rewriting the standard_id in client python
• #7088 Be able to trigger an entity in a playbook manually
• #7056 Hide password/tokens in UI
• #7050 Add enrichment CTA on System
• #6373 Add Attack Patterns to a Report from the Report's Matrix view
• #6049 Ability to update the assignee, priority, severity, type field through mass operation
• #5582 Enrichment icon disappears when using 'select-all' on the same type of observables.
• #4333 Quick button to add Assignees and Participants
• #4230 Add Attack pattern list in Knowledge/Attack pattern with massive operations

Bug Fixes:

• #8998 Align UI of edition drawers
• #8891 Order of roles / groups in the user overview
• #8783 When Disabling Forces in the Knowledge Graph, only one node moves when multiple are selected
• #8687 Container: in Source Mode, an HTML file is not scrollable
• #8684 When adding a relationship to a container assigned to someone, notification shows "unknown"
• #8578 Prevent entity details to re-render completely when tab changes
• #8379 Upgrade passport saml to 5.x
• #8313 Need to refresh to see added markings in Markings edition field
• #8227 Ensure that notes / opinions are both respecting the RBAC "knowledge feedback" and other aspects
• #8210 Search on autonomous system does not work
• #8006 [Workbench] entity type of created relationships doesn't appear at edition
• #6417 Actions not correctly displayed in tasks list

Pull Requests:

• [backend] Upgrade passeport-saml 5.0 (#8379) by @aHenryJard in #8657
• [frontend/backend] Migrate CK Editor to 9.3 (#8151) by @Archidoit in #8577
• [backend] observables value key added on resolver (#8312) by @ValentinBouzinFiligran in #8679
• [frontend] Improve vite config for development purpose (#8703) by @lndrtrbn in #8701
• [frontend] rework UI for connector error screen (#8614) by @frapuks in #8627
• [frontend] Enable enrichment with the selectAll of observables and stix-domain-objects of the same type (#5582) by @Gwendoline-FAVRE-FELIX in #8674
• [frontend/backend] Content from template for containers - Chunk 1 and 2 (#3402) by @Archidoit in #8553
• [frontend] fix assignee query to prevent impact on aliases (#4333) by @frapuks in #8747
• [frontend] Fixing node positions in graphs (#7298) by @Gwendoline-FAVRE-FELIX in #8722
• [frontend] Container content: Move download file actions directly in file line (#3402) by @lndrtrbn in #8757
• [backend] Implement exclusion lists pattern check (#8312) by @ValentinBouzinFiligran in #8702
• [frontend] Add some unit tests (#8804) by @lndrtrbn in #8805
• [frontend] connector errors UI - resolve entities - improve design (#8614) by @frapuks in #8801
• [backend/frontend] Danger zone: Add config in platform settings (#8284) by @marieflorescontact in #8741
• [frontend] rename parsedWorkError.tsx (#8614) by @frapuks in #8854
• [backend/frontend] Add capability to manually enroll an entity in a playbook (#7088) by @SamuelHassine in #8878
• [backend/frontend] Be able to manipulate creators in background tasks for admin (#7844) by @SamuelHassine in #8882
• [backend] Add marking definition labels in audit logs (#7657) by @SamuelHassine in #8879
• [frontend] Add word cloud widget in dashboards (#7862) by @SamuelHassine in #8883
• [backend/frontend] Enhance opinions display, ensure permissions are correct (#8227, #8485, #8842) by @SamuelHassine in #8885
• [backend/frontend] Add system users in available filters (#8468) by @SamuelHassine in #8888
• [backend/frontend] Introduce capability to control UI export buttons (#8467) by @SamuelHassine in #8887
• [backend] Add URL suffix in email notifiers and templates (#8484) by @SamuelHassine in #8889
• [backend/frontend] Implement option to map confidence to score in TAXII features (#8680) by @SamuelHassine in #8890
• [frontend] add current user first in assignee/participant field (#4333) by @frapuks in #8895
• [frontend] Mass operations (severity, priority, assignee...) on cases and containers (#6049) by @SarahBocognano in #8693
• [backend] add ability to validate draft and ingest it back through worker (#6577) by @JeremyCloarec in #8659
• [frontend] use doc_code for connector errors (#8614) by @frapuks in #8856
• [backend] add ability to enrich in draft context (#6577) by @JeremyCloarec in #8858
• [backend/frontend] Danger zone: Remove FF (#8284) by @marieflorescontact in #8905
• [frontend/backend] Outcome template Chunk 2.5 : Pdf generation & backend resolution (#3402) by @Archidoit in #8724
• [frontend] Allow all selected nodes to move when forces are desactivated (#8783) by @Gwendoline-FAVRE-FELIX in #8925
• [backend/frontend] Add dynamic mapping of entity in CSV Mapper (#7400) by @aHenryJard in #8582
• [backend] enable danger zone in default settings (#8284) by @labo-flg in #8971
• [backend/frontend] Implement opinions statistics and dashboard widget ordering customization (#7277) by @SamuelHassine in #8935
• [backend] Switch to opt-in feature flags by @labo-flg in #8921
• [backend] Refactor file check access to improve speed and efficiency by @richard-julien in #8847
• [frontend] Add enrichment CTA on System (#7050) by @delemaf in #8958
• [frontend] Add Attack Patterns to a Container from the Container's Matrix view (#6373) by @Archidoit in #8252
• [frontend] Hide password/tokens in UI (#7056) by @Gwendoline-FAVRE-FELIX in #8758
• [frontend] Update ingestion menu order (#8558) by @Kedae in #8989
• [backend] existing roles without danger zone capa are considered NOT … by @labo-flg in #8992
• [backend/frontend] align UI on rule activation/deactivation by @labo-flg in #8994
• [frontend] Fix of multiple values in massOperations (#6049) by @SarahBocognano in #8913
• [backend/frontend] allow to disable the trash on the platform (#8897) by @labo-flg in #8964
• [backend/frontend] implement draft workspace handling on UI (#6577) by @JeremyCloarec in #8658
• [Frontend] Remove FF for Public dashboards in workspace header by @CelineSebe in #9005
• [frontend] Fix Kill Chain list in Matrix view (#4230) by @Archidoit in #9008
• [backend] Implement exclusion list module (#8312) by @ValentinBouzinFiligran in #8898
• [frontend] Fix Hide token in sync edition and add token in sync creation (#7056) by @Gwendoline-FAVRE-FELIX in #9003
• [backend] Improve id generation for STIX elements (#7158) by @richard-julien in #8671
• [frontend] Actions not correctly displayed in tasks list - Only trad (#6417) by @SarahBocognano in #9010
• [frontend] fix scrollbar in list widget with headers by @labo-flg in #9050
• [backend] When adding a relationship to a container assigned to someone, notification shows unknown (#8684) by @ValentinBouzinFiligran in #9014
• [frontend] Fix mappable content download (#8976) by @Archidoit in #9051
• [frontend] Fix some alignment issues in drawers by @Kedae in #9044
• [frontend] Enhancing the conditional mapping form (#7400) by @CelineSebe in #9016
• Preparing release 6.4.0 by @labo-flg in #9055
• [frontend] [Workbench] entity type of created relationships doesn't appear at edition (#8006) by @SarahBocognano in #9058
• [frontend] Rollback unstable changes to csv mapper by @labo-flg in #9069
• [frontend] fix display of danger zone in roles (#8284) by @labo-flg in #9070

New Contributors:

• @delemaf made their first contribution in #8958

Full Changelog: 6.3.13...6.4.0